
Preventing Sophos potential false positive

I wanted to get some ideas on how we can prevent a potential issue like that recently discovered with McAfee's false positive.

I will list below what I am doing and would like to get feedback on what others are doing. 

1) I have multiple groups within the Sophos console containing pilot and production machines.

2) I have multiple policies that I keep in sync except for AV version.

3) I keep the pilot machines on the "recommended" setting in the policy.

4) The production machines stay 1 version behind, which at this time is 9.0.5 VDL4.52, for at least 1 week.

5) If nothing happens to my pilot machines, nothing is reported in the news, and there is nothing posted in this user community, I roll out the latest version to production.

Can anybody post their processes or comment on my processes?

thanks

  • Hello Sophos_User,

    The recent "issue" might appear as simple to avoid as it is scary (booting into Safe Mode on many machines is not fun).

    Allow me some general remarks first: An issue like this is very unlikely but - as we saw - unlikely isn't impossible. We are dealing with a system of sufficient complexity here so even in theory such incidents are not avoidable - or better: Theory tells us that we can't prove it's error-free. And - this too is inherent to complex systems - a malfunction in a security layer can cause the same effects it should protect against. Thus it's all about reducing the risks and be assured, no vendor (and no serious "open" group) treats this in a frivolous manner. **bleep** happens also in the AV industry - but seldom.

    Now what do you gain from delaying updates? Details aside, you might not be protected from the latest threats. This offsets at least part of the reduced risk - and I daresay all in all it increases your risk. The same is already true for certain OS and application patches.

    The questions are whether your "pilot" machines are "typical" and how long you should wait. In my opinion - but I may err - the engine and library pose the lesser risk. It's more likely that a new IDE has "unexpected" side-effects, and as they are usually applied also to the earlier versions it doesn't matter that you delayed the version update. The good news is that a correction travels the same path, and unless your clients went belly up the problem might have been corrected before you notice.

    Still - in the past years I have seen one or two "near hits". The impact depends on the tools you have available and whether you have remote access to the clients or not. In principle you face the same problem as when you've been hit by malware - except that you don't have to worry about additional hidden items and whatever.

    I might become imprudent or just lazy with age but I think that it's just not worth the effort (and I say this with a background of some 20 years on the mainframe where it was guaranteed that a "mishap" affected everything and all users ... :smileywink:)

    Dissenting opinions welcome

    Christian

  • While I don't have the 20 years of experience that QC does, I agree that it's less hassle and risk (overall) to keep everything up to date.  Even in your worst case scenario where Sophos goes down the same route as McAfee and can't tell the difference between the genuine svchost.exe and a virus, you still leave your systems open by trying to prevent this.

    For example, say you set Sophos to alert only.  While in the hypothetical situation above this will allow you to verify that svchost.exe is not a virus and resolve the issue, between these times you'd have all the real viruses spreading across your systems infecting everything they come into contact with.

    While 'alert only' may be taking things a bit too far and delaying updates may seem a better option, remember that any allowances you make for false positives will also apply to genuine positives.  This of course depends on your situation, but in my experience rescuing a system in safe mode once in a blue moon is a lot easier than rescuing hundreds of systems from a virus infection every two days.

  • Judging the risk in these cases is absolutely key. In certain cases I can think of, the damage done by a false positive may well be significantly greater than that of a virus.

  • Welcome barnet,

    "In certain cases I can think of, the damage done by a false positive may well be significantly greater than that of a virus"

    Yup, but that's not the point. In certain cases the damage done by taking a drug may well be greater than that of a disease. But damage is only one factor to consider. The simplistic model is: Risk = Damage * Likelihood. Otherwise only a few of us would ever board a plane or even think of crossing the street.

    Of course you could apply a different AV and AU policy to select computers where the likelihood of infection is significantly lower than in other parts of your network, iff your network and (most) clients are protected.

    Christian

  • Sorry to barge in here but this thread was just about the only thing I could find online related to my recent issue. I thought it might be good to comment in case anyone else out there on the interwebs needs the info.

    As well as false positives protecting against 'incoming', you also need to be aware of false positives when clients are visiting your website.

    Over the last 2 weeks we became aware that our website was being flagged as malicious. Obviously this had a major impact on turnover. It was only a client that told us that our site was flagged.

    Sophos did eventually include a patch in their next update once it was brought to their attention (and after applying enough pressure). The problem is that our company is not big enough to even purchase the offending software in order to test for such a false positive.

    I wonder why companies such as Sophos feel that it is ok to damage the reputation of another company while not even having the regard to notify them of their actions.

    More info at http://www.distinctivedoors.co.uk/news/10

  • Hello and welcome,

    Choosing this thread (instead of starting a new one) is IMO a good decision, as your post highlights a different aspect of false positives. While being flagged as "malicious" is more than unpleasant, it not only happens with AV products but with other services (especially email) as well.

    Good to hear that it has been resolved.

    I don't know what details Sophos told you. Anyway I'll put in my two cents. There are basically two ways to create blacklists. One is active scanning, the other collecting data during normal operation. An example of the former was probing for "open mail relays", which then found themselves on blacklists (the use of these lists was optional and the subject of fierce debate). "Decent" blacklisters informed (or tried to inform) the site's administrator in case of a detection. Nowadays active unsolicited scanning is practically unfeasible (even the big search engines no longer use it as their primary tool) and data is collected during normal operation. All major vendors' gateway products (email and web and network components) optionally collect data to identify "problem sites", which can help to improve performance but also protect against unknown threats. This information might also be used in client products. That's the rationale.

    Now I imagine that there's quite some amount of (new) data every day. As there is no "standard contact" for a website it is not possible to send a notification automatically. I don't know if (and how) and under which circumstances Sophos (and other vendors) attempt to find a contact to send the notification to (I know they do). If you are wrongly blocked and haven't been informed (and are rather small), your best chance is your clients (and I might add this is also true if your site has indeed been compromised).

    "I wonder why companies such as Sophos feel that it is ok to damage the reputation of another company while not even having the regard to notify them of their actions."

    I don't think that these companies are taking this lightly. The risk of false positives is always there, and even bigger is the risk that the information is misinterpreted. But without protection it would be even worse. So it's always a trade-off - sad as it is.

    Christian

  • Hi Everyone,

    When I went to Sophos 4 years ago I planned for false positives by using Sophos' quarantine-in-place settings in the AV policy. This has helped in many cases, the largest of which was last year's Dec 2009 IDE release from Sophos that flagged 1,000s of PDFs as viruses across our enterprise. This was resolved within 2 hours without a need to restore or move the PDFs back to their original places.

    The above solution would not have prevented the McAfee issue, since their false positive took down systems. But it would have helped in restoring systems faster, because the files would have still been in their original locations. (There may have even been a way to work around the problems, but thankfully we have not seen it first hand.)

    We are still on the EM Library but use Recommended and Previous versions:

    We use the previous version on servers and labs to reduce engine change issues from occurring in areas we can control. There is a 2 week delay before moving the previous version up to the recommended fixed version.

    The recommended version is used across all other systems, which gives us a chance to see if issues will occur. There have been a few times the engine version change has crashed our NetWare servers or caused issues with our Windows servers, but overall things are pretty good.

    I hope this helps.

    Thanks,

    VCU
